Don’t Share Passwords. Privacy is not Absolute. Radio Show- 2018-09-08
Segway has some new fun Technology and I will discuss it today.
Business Email Compromise is on the Rise. I will tell you why and how the hackers are going after small businesses.
People are still not patching their routers. Also a new Router vulnerability this time against routers used worldwide by ISPs. I will explain who, how and what you can do about it.
Craig will be release some video securiy nuggets during the month of September. Watch for them.
Craig is putting up a new membership site (Yes, it is free, but you have to sign up) On it will have all his special reports that he puts out and you will be the first to get them.
- You’re Not Alone If Your Share Your Email Password – But There Are Hidden Dangers
- Threats To Our Privacy: Tech Industry Told ‘Privacy Is Not Absolute’ And End-To-End Encryption ‘Should Be Rare’
- Business Email Fraud Attacks Jump 25%
- Unpatched Routers Being Used To Build Vast Proxy Army, Spy On Networks
- Segway’s Drift E-Skates Aren’t Nearly As Dangerous As They Look
Airing date: 09/08/2018
Don’t Share Passwords. Privacy is not Absolute. BEC the new hacker scam to beware of. Mikrotik ISP routers have been hacked.
Craig Peterson: [00:00:00] Hey, Good Morning, everybody. Craig Peterson here and we’ve got a lot to cover today as usual. I don’t if you’ve been getting some of my e-mails. Hopefully, you do, if you’re not subscribed go to Craig Peterson dot com slash subscribe. We keep all kinds of great information there and we send out alerts about Hacks and about some of the latest things including I am now producing a whole bunch of what I’m calling nuggets. These are pieces of information short videos that I think are going to make a big difference in your life particularly in your business. So, keep an eye out for those wonderful nuggets. Those are videos I’m kind of releasing all over the place including on my Web site. Today we’re going to talk about something that really concerns me and this is about the Five I’s. If you haven’t heard about them they are affecting your life in potentially a very big way in the future. Segway has some real cool new devices out. We’re going to talk about the latest one that they have and I don’t know if I’d buy this, but there are some other ones I might buy but,
[00:01:06] this is really cool. If you are an employer or an employee you’re not alone, if you share your e-mail password with co-workers. By the way, it’s a dangerous thing to do. Hackers are trying to scam you again, and this is all about the e-mail scams business e-mail compromises that the FBI has been warning about, and, of course, that’s a very, very big deal too. Unpatched router’s Yeah, yeah, a huge proxy army spying on networks and it turns out it’s not just your home routers anymore that they have control over. No, no, no. The bad guys have control over some of the routers that your Internet service provider may have provided to you. So, all of that and more stick around. Here we go. Well, the Five I’s are countries that cooperate together. And they’ve been cooperating for a long time. In fact, some of this has come up as part of this so-called Russian investigation that’s been going on, because apparently the British were being used to spy on President Trump and feed information back to the Department of Justice, the FBI, and maybe even the Hillary Clinton campaign.
[00:02:34] Well, what are the five I’s and what are they doing. Bottom line, we’re talking about the U.S., the U.K., Canada, Australia, and New Zealand. These five countries that cooperate on spying on each other’s citizens. Now, that’s a very, very, big deal of course. Some of these countries also spy on their own citizens, as well. We’re finding out more as the in-depth analysis is being done of the Mueller probe. But, the whole idea here is, if I’m in the United States and I have somebody who is a citizen of the U.S. that I suspect might be a bad guy, they might be bringing drugs in, they might be part of a terrorist network. I can’t do a whole lot. Unless they call outside of the country, or they call into the country from outside. Once the communications leave the borders in the United States it’s no longer considered. well kind of like privileged, right. They cannot just willy-nilly grab that data, grab your voice, et cetera. But, another country can and that’s what’s been happening. So, for instance in the case of these so-called Russian collusion operations, the U.K. apparently was spying on, wire tapping some of President Trumps communications, and some of his campaign workers communications as well. So, it’s a very, very, big deal because they are gathering all of this.
[00:04:09] They are gathering stuff that, even they admit is illegal. You remember the story I talked about here just a few weeks ago, where the National Security Agency went ahead and deleted three years worth of telephone intercept data because they weren’t sure if some of it was legally obtained or not. So, it’s frankly a very, very big deal and it’s a scary thing. Well, they came out with a statement after they met, and they just met, and that you know that part is a little concerning to what they’re doing but they are spying worldwide, and they’re very concerned because they cannot decrypt a lot of the communications. Now, they can intercept them obviously. That’s why the Five I’s exist so they can spy on each other’s citizens, which is a problem right there, right. So, they can spy on each other citizens. But, here’s where the big problems come in, and for them they can certainly intercept communications that are encrypted, but they cannot do much with them. In fact, they can’t do anything with some of them. So, they met, and they came up with a statement. Now, this is really interesting. Here’s a statement on privacy or part of it, privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire, and use the content of that data is a pressing international concern.
[00:05:48] Each of the Five Eyes jurisdictions will consider how to best implement the principles of this statement, including with voluntary cooperation of industry partners. Any response be it legislative or otherwise will adhere to requirements for proper authorization and oversight. Now we’ve had this debate before. You might remember, if you’re old enough, during the Clinton administration, they were trying to force these clipper chips down everybody’s throat, they are oh so safe, it’s all so wonderful. And, it turned out that in fact there were back doors in them. So, the government could listen in. So, this is something we’ll keep an eye on. We’re going to watch see what happens. There are veiled threats to businesses in there, saying, hey basically if you don’t comply, with you know, law enforcement, if they want to gain access to something, then bad things going to happen to you. It’s really scary. But, next up let’s talk about something kind of fun. OK, let’s move into the fun category now. I know the guy who who started this company, right here in Manchester, New Hampshire. The company is called Segway. I’ve met him a few times, I’ve interviewed him a couple of times, and been very involved with U.S. First which I think is an absolutely fantastic program for kids to learn and get inspired.
[00:07:15] It really is. In fact, that’s kind of their whole thing now is inspiring kids. So, it’s a really good thing. Remember, there was all of this hype about the Segway. How it’s going to change the world? And, we certainly have seen Segway’s around. I went on a tour over in France, in Lyon, in southern France and it was really very cool because we were on Segways we could go very quickly, when we needed to, or wanted to. And, then we could kind of stop and talk and look around at everything. I loved it. I want to go on more Segway tours, now. If you haven’t done one, you should try it because it’s it’s very easy and it’s rather intuitive. I think you might well enjoy it. Well, they have come up with a few different models over the Segway. You have some now that just kind of fit between your legs so you’re not even standing, fully. They have one with kind of a seat, I’ve seen before. I think that’s not actually a Segway. Now, they have roller skates. I guess they’re calling them e-skates. The drift, is what they’re calling them now drift w-one it’s going to be available in stores sometime soon.
[00:08:37] But these skates use the same self balancing technology as Segway’s other better known products. So, shifting your body weight controls acceleration and deceleration. Now, if you’ve worn roller skates before or roller blades you know you strap them on your feet and sometimes you get out of control and you fall. And, I’ve taken a couple of big spills on those as well and I had protection on at the time, but you fall. That’s because you’re feet are strapped and you can’t do much about it. If you lose your balance, et cetera. Well, these E-skates you just stand on. So you are standing on one on each foot. So they are independent they are individual. I saw some video of somebody using these, which is really kind of cool, because you can step off of it very easily. Much like you can with a regular Segway. Just step off the skate if you’re starting to lose your balance you can take one foot off and put it on the ground. But, it is really, really neat. So, they can only tilt forward and backwards just that single access. So, there’s no risk at all of rolling your ankles, like there are for roller blades etc. And, it’s really kind of cool.
[00:09:53] The attendants who were at this show, that just happened, where they were shown, over in Berlin, the IFA, that show. It’s a really cool show, but we’ll get into that right now. But, the really cool thing about these roller skates is the attendants were able to just say. Just get on it and do what comes naturally. Because, they really have got the right sensors in these skates now too to detect what you’re trying to do. So, much like a regular Segway you kind of lean forward a little bit to go forward. You, can go backwards on these things if you lean back a little bit and apparently it just takes a few minutes to get relaxed in control which is about what it took me to get used to the Segway over there in France. My 80 year old father’s even gone, for the very first time, on a Segway tour. This was in southern Utah. He went down very, very pretty area and perfect again for a Segway tour because you just zoom around and enjoy the sights as you’re going. But, he didn’t have too many problems I guess he fell off once said 80 years old, that’s not bad. But he really enjoyed it absolutely would do it again. I don’t know if I want to try these little, little E-skates again. Keep an eye out for them. The called the drift Segway drift. But, I can tell you I probably would try them. They’re only going to be a few hundred bucks, apparently, versus the thousands for the big Segways. But, it should be kind of fun. All right, a few of you are sharing passwords. You’re not alone.
[00:11:39] Now, we we know a lot of people over the years that are sharing passwords, and obviously that’s a problem, right. And you know sharing your password with your computer is one thing, and it’s it’s bad. OK, it’s pretty bad. But sharing your password with someone for your e-mail account, it looks like it’s even badder than than just sharing your basic password. Now, for your computer and here’s why, people don’t choose great passwords for their e-mail accounts. And, a lot of times that workers will kind of share and say OK here listen while I’m gone here’s my password. Get on check because I’m expecting this from a client, or that from a vendor, et cetera. And so people share their passwords, and you hope there’s no real ramification certainly nothing as bad as missing an order, or missing the delivery problem, right. Doesn’t that make sense to you?
[00:12:41] Well, there are ways to have group and shared accounts. We do this. I’ve got to tell you every time we’ve gone into a business to clean up after there’s been a hack and wow it’s really bad. 100 percent of the time they’ve been sharing passwords, 100 percent of the time. And, one of the ways that these bad guys get in is, let’s say there’s a problem with a hack on a big company, and they’re able to steal usernames and passwords. Guess what they now have, they have a username and password that they know worked at this company that just stole it from, right. So Yahoo, for instance, because we know they lost more than a billion accounts information. So, let’s just say Yahoo for the lack of another example, right now. But Yahoo has usernames passwords are stolen, or some other small Web site out there that you’re using. Most people are using the exact same password for their accounts on every site. So, they use the same username which is often their business e-mail, unless it’s obviously just a straight up personal thing that might have a personal e-mail, but most people just have the two e-mails.
[00:14:11] So, they their business e-mail is shared now with another person along with a password for that account.
[00:14:21] So, now that other person gets in and starts using it. Now, remember that that password has been compromised in this scenario so, somebody else out there, a bad guy knows it. So, now someone internal to your company knows it and maybe even multiple people, now know it. And, what’s been turning out is that there have been a number of kind of vengeance hacks where someone who knows someone else’s password gets into the network, after the fact. So, make sure companies use set up group mails when it comes to your accounts receivable, accounts payable, any sort of customer transactions use a group mailbox, use of forwarder, there’s lots of ways to do it. We do it all of the time for customers. So, make sure that happens. Don’t allow employees to share passwords. If you’re an employee insist that the manager set up a group password or group account, I should say, a group email account. Set up some sort of group e-mail account so, you’re not held liable. So, your username and password are not used to hack the company at a later point in time, by one of your former fellow employees or potentially even worse. By the way, this survey found that three out of five small businesses that suffered a breach are likely to go out of business within six months.
[00:15:52] Ok, that’s a pretty standard statistic, I’ve seen. Usually, it’s around 50 percent. In this case, they’re showing 60 percent. So, you do not want to have a breach. There’s all kinds of stats, and if you want to go to my Web site Craig Peterson dot com, you’ll see it right there. Now, here’s our next our article here. It’s another scam that’s been very successful for the hackers. Now, cyber criminals have been out there since the days of computers, really. You know initially, initially, initially probably not so many, but there have been over the years, a whole lot of these bad guys. While they’re now turning more and more of their efforts to business email compromise scams, as well as, telephone scams, and they’re using these to steal funds that are causing billions of dollars in fraud losses over the past few years according to statistics from the FBI. And, I get reports from the FBI almost every day, certainly every week, about new variations of these e-mails scams. Now, the scammers are typically targeting employees with access to company finances, payroll data, and other personally identifiable information. So, this particular report looked at 3000 randomly selected business e-mail compromise attacks.
[00:17:25] Now, it said type of spam, spam e-mail. Obviously it’s been called spear phishing before, and now it’s called a business email compromise, because they’re doing some amazing things here. They’re trying to trick the e-mail recipients into doing a wire transfer to a bank owned by the attacker in half of the cases. Isn’t that amazing? So, once the money’s out of your bank account because you’re just wired it, bam it’s in the attackers account within 90 seconds. And, if they own the bank, they are not going to cooperate with any sort of investigation. So, some other types of attacks include getting recipients to click on a malicious link, that’s 40 percent of the time, and those malicious links are then used to install spyware on your computer, or to verify that you are who they think you are. They also use them to establish rapport with the victim, and stealing personal identifiable information, that makes up the last 13 percent here. So, very simple e-mails. So, a subject like vendor payment. Hey, Joe, are you around? I need to send a wire transfer ASAP to a vendor from Jane.
[00:18:44] Now, they’re going to find who the CEO is or a high level executive. In this case that company had a high level executive a CEO, COO named Jane. So, they figured that out. How do they figure that out? Well, they probably just went to the company’s Web page. Go to my company’s Web page Mainstream dot net there you will not find any information about any of the officers, who they are. and then Hey Joe, obviously, they know who Joe is and they can find that also probably on the company’s Web page, right under officers. It’s crazy what people put up there. And the other easy way to find it is just to go to LinkedIn. You can scan around you can find tons of stuff about businesses, small businesses and otherwise. So, about 60 percent of these business e-mail attacks do not involve a malicious link. So, it’s just a plain text e-mail attempting to trick them into performing a wire transfer, or some other sensitive information. It’s really scary. So, here’s the people there are attacking, right. Forty-three-percent of the time they are impersonating, the CEO or founder and they are attacking the CFOs, finance, H.R. people, C-level executives, CEOs and others across the companies, is about half. So, why would they go after H.R. person? We’ll so they can get the W-2 information so they now have Social Security numbers, names, addresses.
[00:20:20] Think of everything H.R. has. So, here’s what you should do to keep company safe. All of this is up on my Web site, by the way, Craig Peterson dot com. Prohibit wire transfers from going out without an in-person conversation or phone call. That means contact the CEO, right if Jane sent you that e-mail you’ve got Jane’s number, call her. I don’t care if she’s on vacation, in fact, that’s often when they will target someone they see on Facebook. Hey, Jane’s going on vacation she’s going to be in Bermuda’s, she’s going to be on her ship, She’s not going to be able to have communications. And that’s when they go after it. Take caution with e-mails from the CEO. All right. Because they’re the most likely ones to be impersonated. So, if they make a request that seems a little unusual pick up the phone and call them. Obviously, if you are responsible for training in a company, make sure that you’ve got a training program in place, deploying an e-mail protection system that stops these type of spear phishing attacks, Cyber fraud attacks. So, it goes on and on. Very good, Very interesting and there’s a lot of information about this. If you go to Craig Peterson dot com slash security, you might be overwhelmed.
[00:21:34] But, that’s what our golden nuggets are all about. I’m producing now throughout the month of September. These nugget nuggets of information about how to stay safe. And we’re going to lead all of that up to an offer that I’m going to have in October. So, we’ll talk about that as well to help you completely clean up all of these problems, but keep an eye out for my nuggets. You’ll be seeing them on Craig Peterson dot com in fact, to put it up a little Coming soon thing on the site. So, next stop you’d think we were past this point. Now unpatched Routers. OK. We’ve got multiple malware campaigns right now, and they’re spreading the hacks of gear from a company called microtik. Now this is probably not a name you’re familiar, if you’re a business person hopefully you’re using current Cisco gear, not old stuff. Hopefully, it’s patched and kept up to date, as well. Right. If you’re a regular old home user you might be familiar with companies like D-link or Netgear, neither of which I use in my home, because of all of the problems they’ve had over the years. You definitely should not be using those in your business. Well, microtik posted a software update for a vulnerability that was found earlier this year.
[00:23:11] But, researchers have found themselves, that more than almost 400,000 of these routers they’ve identified on the Internet were still vulnerable. People are not applying the patches. Now, here’s what’s kind of really scary about them. We’ve got 7500, that we know of, that are being actively spied on by attackers, they are actively forwarding full captures of all to the network traffic to a number of remote servers, OK. Just crazy. Another quarter million, of these hacked routers, have been turned into proxies. So, they are being used to again send the data off to the bad guys. So what data, all of your data. Now, here’s the part that is the part that basically explains, why you don’t know about these guys. They are providing hardware for Internet services providers, including campus network infrastructure at schools. They provide equipment for outdoor fiber routers, wireless backbones, OK. It goes on and on. Now, these routers are all over the world. Some of the largest concentration are in Brazil and Russia, here. A lot of the ISP’s are using Cisco gear, but there’s 14,000 they’ve already identified here in the U.S. So, again can you trust the hardware that you get from your ISP? Probably not, 100 percent. So, what are you going to do about it.? I can tell you what we do. We don’t use the hardware that they give us.
[00:24:54] Right. So, they’ve they’ve got Modem of some sort or terminal device. We feed that directly into some really good hardware, that we’ve installed, that we control, that providing high levels of Firewall. So, it’s a very big deal. Microtik, keep an eye out, if you are again a business, and this is really important or if you have quite a bit of money that you want to protect. Make sure you get rid of that router at the edge of your network, that’s provided by Internet service provider. Get rid of it. Let’s go ahead and do something reasonable. Contact a company that knows what they’re doing with security firewalls et cetera. And, unfortunately I got to tell you that 99 percent of them, we have not met very many companies, and we deal with them all over the country, here, that really know what they’re doing most most of them have no clue, they’re just selling a box and pushing it. But, anyhow that’s what’s going to happen in October. Keep an eye out for my nuggets. Make sure you sign up at Craig Peterson dot com. We’ll be all kinds of good security nuggets we’re going to be putting out. Have a great week, and we’ll be back again, next week with more tech talk with Craig Peterson, see you then.